9.5.2 Endpoint Protection Quiz

Explanation: Antimalware programs may detect viruses using three different approaches:

• signature-based – by recognizing various characteristics of known malware files
• heuristics-based – by recognizing general features shared by various types of malware
• behavior-based – through analysis of suspicious activities

Explanation: Switches are LAN infrastructure devices interconnecting endpoints. They are susceptible to LAN-related attacks including MAC address-table overflow attacks, spoofing attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.

Explanation: The telemetry functionality in most host-based security suites provides robust logging functionality and submits logs to a central location for analysis.

Explanation: With cloud computing, boundaries of enterprise networks are expanded to include locations on the Internet for which the enterprises are not responsible. Malicious software might access the internal network endpoints to attack internal networks.

Explanation: Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system.

Explanation: The Open Source HIDS SECurity (OSSEC) software is an open-source HIDS that uses a central manager server and agents that are installed on the hosts that are to be monitored.

Explanation: The Domain profile in Windows Firewall configuration is for connections to a trusted network, such as a business network, that is assumed to have an adequate security infrastructure.

Explanation: A current HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall protection. An HIDS not only detects malware but also prevents it from executing. Because the HIDS runs directly on the host, it is considered an agent-based system.

Explanation: The SANS Institute describes three components of the attack surface:

• Network Attack Surface – exploitation of vulnerabilities in networks
• Software Attack Surface – exploitation of vulnerabilities in web, cloud, or host-based software applications
• Human Attack Surface – exploitation of weaknesses in user behavior

Explanation: An attack surface is the total sum of the vulnerabilities in a system that is accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on Internet-facing servers, wireless network protocols, and even users.

Explanation: The SANS Institute describes three components of the attack surface:

• Network Attack Surface – exploitation of vulnerabilities in networks
• Software Attack Surface – exploitation of vulnerabilities in web, cloud, or host-based software applications
• Human Attack Surface – exploitation of weaknesses in user behavior

Explanation: Blacklisting can be used on a local system or updated on security devices such as a firewall. Blacklists can be manually entered or obtained from a centralized security system. Blacklists are applications that are prevented from executing because they pose a security risk to the individual system and potentially the company.

Explanation: To secure operating systems against threats, policies that address application system and operating system updates should be implemented so that patches and operating system updates are installed regularly.

Explanation: Adware protection is software that can can be installed on a computer system to prevent popup ads from displaying.

Explanation: A cipher lock uses buttons that are pressed in a given sequence to open the door. It can be programmed so that a user’s code may only work during certain days or times. It can also keep a record of when the door opened, and the code used to open it.